SB2019031303 - Multiple vulnerabilities in Microsoft Internet Explorer
Published: March 13, 2019
Description
This security bulletin contains information about 12 security vulnerabilities.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-0768)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation of the Internet Explorer VBScript execution policy. A remote attacker can create a specially crafted web page, trick the victim into visiting it and trigger the VBScript engine to send requests that should otherwise be ignored.
2) Buffer overflow (CVE-ID: CVE-2019-0763)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim into visiting a specially crafted web page, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-0761)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists because Internet Explorer fails to validate the correct Security Zone of requests for specific URLs. A remote attacker can trick the victim into clicking a specially crafted link and gain access to sensitive information.
4) Buffer overflow (CVE-ID: CVE-2019-0609)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim into visiting a specially crafted web page, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
5) Buffer overflow (CVE-ID: CVE-2019-0746)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content within the lastIndexOf method in JavaScript. A remote attacker can trick the victim into visiting a specially crafted web page, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
6) Buffer overflow (CVE-ID: CVE-2019-0780)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim into visiting a specially crafted web page, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
7) Buffer overflow (CVE-ID: CVE-2019-0783)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim into visiting a specially crafted web page, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
8) Buffer overflow (CVE-ID: CVE-2019-0680)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim into visiting a specially crafted web page, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
9) Buffer overflow (CVE-ID: CVE-2019-0665)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content within the CustomEvent object in the VBScript engine. A remote attacker can trick the victim into visiting a specially crafted web page, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
10) Buffer overflow (CVE-ID: CVE-2019-0667)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content within the VBScript engine. A remote attacker can trick the victim into visiting a specially crafted web page, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
11) Buffer overflow (CVE-ID: CVE-2019-0666)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content within the VBScript engine. A remote attacker can trick the victim into visiting a specially crafted web page, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
12) Origin validation error (CVE-ID: CVE-2019-0762)
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to incorrect handling of requests coming from different origins. A remote attacker can trick the victim into visiting a specially crafted website, bypass Same-Site cookie restrictions and gain access to sensitive information from another domain.
Remediation
Install the update from the vendor's website.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0768
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0763
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0761
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0609
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0746
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0780
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0783
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0680
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0665
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0667
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0666
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0762